Distributed Denial of Service (DDoS) attacks employing reflected UDP
amplification are regularly used to disrupt networks and systems. The
amplification allows one rented server to generate significant volumes
of data, while the reflection hides the identity of the attacker.
Consequently, this is an attractive, low-risk strategy for criminals
bent on vandalism and extortion. To measure the uptake of this strategy
we analyse the results of running a network of honeypot UDP reflectors
(median size 65 nodes) from July 2014 onwards. We explore the life cycle
of attacks that use our reflectors, from the scanning phase used to
detect our honeypot machines, through to their use in attacks. We see a
median of 1450 malicious scanners per day across all UDP protocols, and
have recorded details of 5.18 million subsequent attacks involving in
excess of 3.31 trillion packets. Using a capture-recapture statistical
technique, we estimate that our reflectors can see between 85.1% and
96.6% of UDP reflection attacks over our measurement period.

[This is a practice talk for eCrime 2017 presenting a paper which is joint work with Richard Clayton and Alastair R. Beresford.]